From 617588b165cd127ca843c999dd374ee69134bc8c Mon Sep 17 00:00:00 2001 From: 8bitpal Date: Mon, 29 Jun 2026 08:58:33 +0200 Subject: [PATCH] Document CanExecuteAs, CanReadAsAnyParty, CanExecuteAsAnyParty user rights The authorization page was missing three rights introduced after the original CanActAs/CanReadAs pair. Descriptions sourced from the Ledger API proto reference (lapi-proto-docs.rst). Closes #879 Signed-off-by: 8bitpal --- docs-main/appdev/deep-dives/authorization.mdx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs-main/appdev/deep-dives/authorization.mdx b/docs-main/appdev/deep-dives/authorization.mdx index 81004e063..152c338e1 100644 --- a/docs-main/appdev/deep-dives/authorization.mdx +++ b/docs-main/appdev/deep-dives/authorization.mdx 
@@ -56,7 +56,10 @@ The Ledger API uses the following rights to govern request authorization: - `participant_admin`: the right to administer the participant node - `idp_admin`: the right to administer the users and parties belonging the same identity provider configuration as the authenticated user - `canReadAs(p)`: the right to read information off the ledger (like the active contracts) visible to the party `p` -- `canActsAs(p)`: same as `canReadAs(p)`, with the added right of issuing commands on behalf of the party `p` +- `canActAs(p)`: same as `canReadAs(p)`, with the added right of issuing commands on behalf of the party `p` +- `canExecuteAs(p)`: the right to prepare and execute submissions as party `p`, without read access. A separate `canReadAs(p)` right is needed if reading is also required. This right is implicitly contained in `canActAs(p)`. +- `canReadAsAnyParty`: the right to read ledger data visible to any party on the participant. Intended for tools that need a continuous feed across all parties, such as PQS, without having to update subscriptions as parties are added or removed. +- `canExecuteAsAnyParty`: the right to prepare and execute submissions as any party on the participant. Intended for services that perform interactive submissions on behalf of many parties. The following table summarizes the rights required to access each Ledger API endpoint:
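Review bot: the endpoint table introduced by the trailing context line ("The following table summarizes the rights required to access each Ledger API endpoint:") is not touched by this patch (4 insertions, 1 deletion, all in the bullet list). The three new rights are therefore defined here but never mapped to the endpoints that accept them. Please add them to the table in this change, or say in the list that the table does not yet cover them. Two smaller points on the added bullets. First, `canExecuteAs(p)` is stated to be "without read access", but `canExecuteAsAnyParty` says nothing about reading. Since this is a participant-wide grant, state explicitly whether it includes read access or whether `canReadAsAnyParty` must be granted separately, so operators do not over-grant. Second, "PQS" is used without being expanded or linked, so spell it out on first use. The `canActsAs` to `canActAs` correction is a good fix but is not mentioned in the commit message. A one-line mention would help anyone searching history for the rename.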